The latest articles on Forem by Mister k. (@hmk). https://forem.com/hmk https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2558829%2F9e542cb9-981f-4018-88b5-3dd7c9de504b.png https://forem.com/hmk en Mister k. Wed, 11 Dec 2024 19:38:13 +0000 https://forem.com/hmk/til-one-missing-encrypted-prefix-23m-android-security-breach-3m10 https://forem.com/hmk/til-one-missing-encrypted-prefix-23m-android-security-breach-3m10 <p><strong>TL;DR</strong>: A food delivery app's simple SharedPreferences implementation led to a massive data breach. The fix? One line of code they never wrote.</p> <p>Here's the million-dollar mistake:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight kotlin"><code><span class="c1">// The Costly Mistake </span> <span class="nc">SharedPreferences</span> <span class="n">userPrefs</span> <span class="p">=</span> <span class="n">context</span><span class="p">.</span><span class="nf">getSharedPreferences</span><span class="p">(</span> <span class="s">"user_data"</span><span class="p">,</span> <span class="nc">Context</span><span class="p">.</span><span class="nc">MODE_PRIVATE</span> <span class="p">)</span> <span class="n">userPrefs</span><span class="p">.</span><span class="nf">edit</span><span class="p">()</span> <span class="p">.</span><span class="nf">putString</span><span class="p">(</span><span class="s">"payment_data"</span><span class="p">,</span> <span class="n">sensitivePaymentData</span><span class="p">)</span> <span class="p">.</span><span class="nf">putString</span><span class="p">(</span><span class="s">"user_data"</span><span class="p">,</span> <span class="n">sensitiveUserData</span><span class="p">)</span> <span class="p">.</span><span class="nf">apply</span><span class="p">()</span> </code></pre> </div> <p>The 5-minute fix they needed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight kotlin"><code><span class="c1">// The Simple Fix </span> <span class="kd">val</span> <span class="py">masterKey</span> <span class="p">=</span> <span class="nc">MasterKey</span><span class="p">.</span><span class="nc">Builder</span><span class="p">(</span><span class="n">context</span><span class="p">)</span> <span class="p">.</span><span class="nf">setKeyScheme</span><span class="p">(</span><span class="nc">MasterKey</span><span class="p">.</span><span class="nc">KeyScheme</span><span class="p">.</span><span class="nc">AES256_GCM</span><span class="p">)</span> <span class="p">.</span><span class="nf">build</span><span class="p">()</span> <span class="kd">val</span> <span class="py">encryptedPrefs</span> <span class="p">=</span> <span class="nc">EncryptedSharedPreferences</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span> <span class="n">context</span><span class="p">,</span> <span class="s">"encrypted_user_data"</span><span class="p">,</span> <span class="n">masterKey</span><span class="p">,</span> <span class="nc">EncryptedSharedPreferences</span><span class="p">.</span><span class="nc">PrefKeyEncryptionScheme</span><span class="p">.</span><span class="nc">AES256_SIV</span><span class="p">,</span> <span class="nc">EncryptedSharedPreferences</span><span class="p">.</span><span class="nc">PrefValueEncryptionScheme</span><span class="p">.</span><span class="nc">AES256_GCM</span> <span class="p">)</span> </code></pre> </div> <p>The damage? 200k users compromised, $2.3M in losses, and a massive trust breach that could have been prevented with one implementation change.</p> <p>After seeing patterns like this repeated across dozens of apps, I worked with security experts to document the most common "small mistake = big problems" scenarios in Android development.</p> <p>If you want to prevent similar costly mistakes, check out our practical security guide (link in bio). It's full of real breach examples and their fixes.</p> android kotlin androiddev security